Targeted Trojan-Assisted Data Theft

Varonis comments on the new wave of trojan malware using Windows Update data streams

Commenting on reports that targeted trojan malware is using data streams formatted as a Microsoft Windows Update to communicate back to base, Varonis Systems says that this type of targeted and automated attack vector highlights the need for a similarly automated approach to data governance.

David Gibson, director of technical strategy with the data governance specialist, says that the trojan attack, which has been analyzed by colleagues from Seculert and Zscaler, appears to have targeted a number of U.S. government agencies and allied organizations.

This attack reportedly exploited a vulnerability in Adobe Reader to install a Remote Access Trojan (RAT). A PDF, disguised as a conference invitation, was sent to specific individuals via email. When the attachment was opened, the Trojan was installed on the victim’s workstation, allowing the attacker to control it clandestinely, apparently camouflaging its traffic and binary files to look like normal Windows Update behaviour.

“It’s bad enough that data on the infected workstations is compromised. What’s worse is that by controlling a system inside the organization’s perimeter defenses, the attackers often have wide, unmonitored access to network file shares, SharePoint sites, and mailboxes, and the scope of the breach expands exponentially. Sensitive data usually stored all over the network is up for grabs with no notice.”

The data on file shares and other unstructured platforms has grown so quickly that organizations have been unable to keep up with basic access control tasks - users have access to far more data than they require, much of it is sensitive, and many folders and files are accessible to large numbers of employees. In most cases there is also no record of who is actually accessing data on these platforms, as this kind of auditing has been traditionally unavailable and/or unrealistic.

This is, Gibson explained, a data governance specialist’s worst nightmare: a compromised computer siphoning data from valuable data stores, an inability to detect the data flowing out of them, and finally a leak to an outside organization.

Workstations are going to be compromised, and some employees will steal. The way to minimize the threat is to use automation to restrict what every user (and workstation) has access to, monitor and analyse all use, and alert on potential abuse.

And, he adds, whether the data is structured or unstructured (the latter is far more difficult to track), an automated data governance system can restrict excessive access, audit all use, and alert on anomalous usage so a security professional can analyze what is happening.
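The "audit all use, alert on anomalous usage" step above can be illustrated with a small baseline-and-alert check over file-share audit records. This is an added example, not code from the article or from any Varonis product; the audit line format, the threshold values and the sample records are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean

# Constructed audit lines (not from the article): "date user operation path".
# alice normally touches one or two finance folders a day; on 03-04 her
# workstation suddenly reads across HR, legal, engineering and exec folders.
SAMPLE_AUDIT_LOG = """\
2012-03-01 alice read //fs01/finance/q1/budget.xlsx
2012-03-01 bob read //fs01/eng/specs/rfc.docx
2012-03-02 alice read //fs01/finance/q1/budget.xlsx
2012-03-02 alice write //fs01/finance/q2/plan.xlsx
2012-03-02 bob read //fs01/eng/specs/rfc.docx
2012-03-03 alice read //fs01/finance/q1/forecast.xlsx
2012-03-04 alice read //fs01/finance/q1/budget.xlsx
2012-03-04 alice read //fs01/hr/salaries/2012.xlsx
2012-03-04 alice read //fs01/legal/contracts/acme.pdf
2012-03-04 alice read //fs01/eng/specs/rfc.docx
2012-03-04 alice read //fs01/eng/build/log.txt
2012-03-04 alice read //fs01/exec/board/minutes.docx
2012-03-04 bob read //fs01/eng/specs/rfc.docx
"""


def parse_audit(text):
    """Parse lines into (date, user, op, folder); folder is the parent of path."""
    records = []
    for line in text.splitlines():
        if line.strip():
            date, user, op, path = line.split(None, 3)
            records.append((date, user, op, path.rsplit("/", 1)[0]))
    return records


def find_anomalies(records, review_date, factor=3.0, min_extra=2):
    """Return {user: (baseline_mean, observed)} for users whose count of distinct
    folders on review_date is at least factor * their per-day mean on earlier days
    and at least min_extra above it (so a baseline of 1 -> 2 does not alert)."""
    folders = defaultdict(lambda: defaultdict(set))  # user -> date -> folders
    for date, user, _op, folder in records:
        folders[user][date].add(folder)
    alerts = {}
    for user, days in folders.items():
        history = [len(f) for d, f in days.items() if d < review_date]
        if not history:
            continue  # no baseline yet, nothing to compare against
        baseline = mean(history)
        observed = len(days.get(review_date, ()))
        if observed >= baseline * factor and observed - baseline >= min_extra:
            alerts[user] = (baseline, observed)
    return alerts
```

Running `find_anomalies(parse_audit(SAMPLE_AUDIT_LOG), "2012-03-04")` flags only alice (6 distinct folders against a baseline of about 1.3 per day), which is the kind of sudden widening of access a RAT inheriting a user's share permissions would produce.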

Attackers will not necessarily be stopped in their tracks, but automated data governance makes their job more arduous and makes it far more difficult to evade detection.

“Using sophisticated data governance technology in this context acts as a safety net that prevents a data breach from occurring - even in the face of a successful malware infection within the organization’s network perimeter,” said Gibson.